Considering that a lot of RIA apps run on IIS with SQL, this headline caught my attention.
So far, one of the best write-ups is from Wired. However, the article ends with: "So far there have been no details about who is behind the attacks."
However, further internet searching revealed that this most likely came from China. From the iis.net forums we learned that <<the domain nihaorr1.com was registered. IP geolocation shows this machine in Beijing, China>> www.nihaorr1.com/1.js is where the JavaScript originated. (We learned from Toffler's latest book, Revolutionary Wealth: How it will be created and how it will change our lives, that the Chinese gov't is training the People's Liberation Army in information warfare.)
Even though the "great firewall" of China filters out Google searches, it is OK to use Google to find sites vulnerable to SQL injection. The latest advisory for this is here: http://www.microsoft.com/technet/security/advisory/951306.mspx
It really looks like a clever attack ... a very generic approach to just find all sites on IIS with ASP that have a potential SQL injection attack (that is, any ASP code that posts to a SQL database without validating the input). From the iis.net forum: <<Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren't validating input to strip out script code. >>
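A site owner checking whether their own data was hit can scan stored text for script tags that load from hosts they do not control. The following is an added example, not code from the forum thread or the advisory; it assumes the injected markup is a script tag with a src attribute sitting in database text fields, and that rows have been exported as (table, column, key, value) tuples. The table names, the allowlisted host and the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src=...> with a quoted or unquoted src value.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

def script_hosts(text):
    """Return the host of every <script src=...> in text that names a host."""
    hosts = []
    for m in SCRIPT_SRC.finditer(text or ""):
        src = next(g for g in m.groups() if g is not None)
        if src.startswith("//"):      # scheme-relative URL
            src = "http:" + src
        host = urlparse(src).hostname  # None for site-relative paths
        if host:
            hosts.append(host.lower())
    return hosts

def find_injected(rows, allowed_hosts):
    """Flag rows whose stored text loads a script from a non-allowlisted host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for table, column, key, value in rows:
        for host in script_hosts(value):
            if host not in allowed:
                findings.append((table, column, key, host))
    return findings

# Constructed sample export; only the nihaorr1.com URL comes from the post.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget, 10cm"),
    ("Products", "Description", 2,
     "Red widget<script src=http://www.nihaorr1.com/1.js></script>"),
    ("News", "Title", 7,
     '<SCRIPT SRC="http://www.nihaorr1.com/1.js"></SCRIPT>Spring sale'),
    ("Pages", "Body", 3, '<script src="https://cdn.example.com/site.js"></script>'),
    ("Pages", "Body", 4, '<script src="/js/local.js"></script>'),
]

if __name__ == "__main__":
    for finding in find_injected(SAMPLE_ROWS, ["cdn.example.com"]):
        print(finding)
```

Flagged rows point at the tables and columns an injectable form writes to, which is where input handling needs fixing before the data is cleaned.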
References:

Microsoft Security Advisory (951306): Vulnerability in Windows Could Allow Elevation of Privilege. Published: April 17, 2008 | Updated: April 23, 2008
http://www.microsoft.com/technet/security/advisory/951306.mspx

American Foreign Policy Council
http://www.afpc.org/crm/crm271.htm

Microsoft Security Bulletin MS08-006 – Important: Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx

Microsoft rings alarm on Windows rights bug
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9078959

Microsoft: Massive site attacks not our fault
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080678

Thread: Anyone know about www.nihaorr1.com/1.js ?
http://forums.iis.net/t/1148917.aspx

Wired Blog Network
http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html

Forbes
http://www.forbes.com/2008/04/28/hackers-google-china-tech-security-cx_ag_0428hack.html?partner=msn

Huge Web hack attack infects 500,000 pages
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9080580&taxonomyId=17&intsrc=kc_top